"Hey can someone send me the .env?" Every team has this conversation. It ends with secrets in DMs, email attachments, and screenshots. There's a better way.
Every team does it. Nobody talks about how bad it is.
"Who has the latest .env?" You copy from whoever responds first. Half the keys are outdated. The other half you don't need. You spend the morning debugging config.
Someone leaves. They have the .env on their laptop. Did they copy it anywhere? You don't know. You should rotate everything. You rotate the obvious ones and hope.
Every .env file ever shared. Every API key pasted in a DM. Searchable by anyone who joins the workspace. Forever. That's how Slack works.
Push encrypted secrets to the team. Everyone pulls what they need.
One person pushes. Everyone pulls. No Slack required.
# Sarah (the lead) has the canonical .env
# She encrypts and pushes to the backend
$ envv push .env --env development
Encrypting secrets...
Uploading to envv backend...
✓ Pushed 12 secrets to development
# Secrets encrypted locally with SOPS
# Only ciphertext transmitted
# Original .env never leaves her machine
# Jordan (new hire) pulls on day one
# No Slack. No "who has the .env?"
$ envv pull --env development
Pulling secrets...
✓ Saved to .envv/.env.development.encrypted
$ envv run npm start
🔓 Running with development secrets (12 vars)
Server running on :3000
# Decrypted in memory, never on disk
From zero to running code. No waiting for Sarah.
Sarah was never interrupted. Jordan didn't wait. The secrets never touched Slack.
New hire starts. How long until they're productive?
9:00 "Who has the .env file?"
9:15 Waiting for Sarah to get online
10:30 Sarah sends partial .env via Slack
10:45 "Missing DATABASE_URL"
11:00 Sarah is in a meeting
12:00 Lunch
13:00 Finally has all secrets
13:15 App runs
Total: half a day
(Sarah interrupted 3 times)
9:00 envv auth register
9:01 envv pull --env development
9:02 envv run npm start
9:03 App runs
Total: 3 minutes
(Sarah never interrupted)
Create an org. Invite members. Push secrets.
That's it. Your team can now envv pull and start working.
Pull once, run anywhere. No network required after first sync.
Airplane mode. Flaky hotel wifi. CI runner without network access.
envv run automatically falls back to cached secrets. You keep working.
Cloud sync or local encryption. Your choice.
# Syncs latest, falls back to cache offline
envv run npm start
# Great for:
# - Teams sharing secrets
# - Always getting latest values
# - Works offline after first pull
# Decrypts local file, no network ever
envv run -- npm start
# Great for:
# - Solo projects
# - CI/CD pipelines
# - Air-gapped environments
# .env.example
DATABASE_URL=postgres://localhost/myapp
STRIPE_KEY=sk_test_xxxxx
# Problems:
# - .env.example often has real values
# - git history keeps everything forever
# - You still share real secrets via Slack
# .env.encrypted (ciphertext)
DATABASE_URL=ENC[AES256_GCM,data:xxx...]
STRIPE_KEY=ENC[AES256_GCM,data:xxx...]
# Benefits:
# - Safe to commit
# - Real values, encrypted
# - Team pulls and decrypts locally
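A check a team could run before committing, to confirm that every value in a dotenv file has the ENC[AES256_GCM,data:...] form shown above. This is an added example, not envv's or SOPS's own code; the function name, the sample data, and the rule that keys starting with sops_ are SOPS metadata are assumptions.

```python
import re

# Value form shown on the page: ENC[AES256_GCM,data:...]
CIPHERTEXT = re.compile(r"ENC\[AES256_GCM,data:[^\]\s]+\]")
# Assumption: SOPS keeps its own metadata in dotenv files under "sops_" keys.
METADATA_PREFIX = "sops_"
LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def plaintext_keys(dotenv_text):
    """Return (line_number, key) for every entry whose value is not ciphertext.

    Lines that are not KEY=VALUE are reported with key None, so a malformed
    file fails the check instead of slipping through.
    """
    findings = []
    for number, raw in enumerate(dotenv_text.splitlines(), start=1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or comment
        match = LINE.match(raw)
        if match is None:
            findings.append((number, None))
            continue
        key, value = match.groups()
        if key.startswith(METADATA_PREFIX):
            continue  # assumed SOPS metadata, not a secret
        # Strip one pair of matching quotes around the value.
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        if not CIPHERTEXT.fullmatch(value):
            findings.append((number, key))
    return findings


# Constructed samples (not real secrets, not real ciphertext).
ENCRYPTED = """\
DATABASE_URL=ENC[AES256_GCM,data:Zm9vYmFy,iv:AAAA,tag:BBBB,type:str]
STRIPE_KEY=ENC[AES256_GCM,data:cXV4,iv:CCCC,tag:DDDD,type:str]
sops_version=0.0.0
"""
HALF_ENCRYPTED = """\
# one value was pasted back in by hand
DATABASE_URL=ENC[AES256_GCM,data:Zm9vYmFy,iv:AAAA,tag:BBBB,type:str]
export STRIPE_KEY="sk_test_xxxxx"
this line is not an assignment
"""

if __name__ == "__main__":
    for name, text in (("encrypted", ENCRYPTED), ("half", HALF_ENCRYPTED)):
        print(name, plaintext_keys(text))
```

An empty result means the file holds only ciphertext; anything else names the line and key to fix before the commit goes through.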
# Copy from 1Password, paste into .env
# Every. Single. Time.
# Problems:
# - Manual copy-paste is error-prone
# - Secrets still end up in plaintext .env
# - No integration with your dev workflow
# One command to rule them all
$ envv run npm start
# Benefits:
# - Secrets decrypted in memory
# - Never written to disk
# - Always in sync with team
What happens if you keep sharing .env files?
"We think credentials were leaked." Who has the .env? Everyone. What do we rotate? Everything. How long does that take? Days.
"Show us who has access to production credentials." You search Slack history. You check email. You ask around. You don't actually know.
Production is down. The intern is online. They have production database credentials because everyone has the same .env. What could go wrong?
Encrypt once. Pull anywhere. Run everywhere.
curl -fsSL https://getenvv.com/envv | sh